[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74652":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":16,"starSnapshotCount":16,"syncStatus":33,"lastSyncTime":34,"discoverSource":35},74652,"paqet","hanselime\u002Fpaqet","hanselime","Ferries Packets Across Forbidden Boundaries 👀","",null,"Go",1153,186,8,4,0,6,16,50,18,19.82,"MIT License",false,"master",[26,27,5,28,29],"gopacket","kcp","pcap","tcpdump","2026-06-12 02:03:26","# paqet - transport over raw packets\n\n[![Go Version](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fgo-1.25+-blue.svg)](https:\u002F\u002Fgolang.org)\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-yellow.svg)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\n\n`paqet` is a bidirectional packet level proxy built using raw sockets. It forwards traffic from a local client to a remote server, bypassing the host operating system's TCP\u002FIP stack, using KCP for secure, reliable transport.\n\n> **⚠️ Development Status Notice**\n>\n> This project is in **active development**. APIs, configuration formats, and interfaces may change without notice. Use with caution in production environments.\n\n## How It Works\n\n`paqet` captures packets using `pcap` and injects crafted TCP packets containing encrypted transport data. 
KCP provides reliable, encrypted communication optimized for high-loss networks using aggressive retransmission, forward error correction, and symmetric encryption.\n\n```\n[Your App] \u003C------> [paqet Client] \u003C===== Raw TCP Packet =====> [paqet Server] \u003C------> [Target Server]\n(e.g. curl)        (localhost:1080)        (Internet)          (Public IP:PORT)     (e.g. https:\u002F\u002Fhttpbin.org)\n```\n\n`paqet` use cases include bypassing firewalls that detect standard handshake protocols and kernel-level connection tracking, as well as network security research. While more complex to configure than general-purpose VPN solutions, it offers granular control at the packet level.\n\n## Getting Started\n\n### Prerequisites\n\n- `libpcap` development libraries must be installed on both the client and server machines.\n  - **Linux:** No prerequisites - binaries are statically linked.\n  - **macOS:** Comes pre-installed with Xcode Command Line Tools. Install with `xcode-select --install`\n  - **Windows:** Install Npcap. Download from [npcap.com](https:\u002F\u002Fnpcap.com\u002F).\n\n### 1. Download a Release\n\nDownload the pre-compiled binary for your client and server operating systems from the [Releases page](https:\u002F\u002Fgithub.com\u002Fhanselime\u002Fpaqet\u002Freleases\u002Flatest).\n\n### 2. Configure the Connection\n\n#### Finding Your Network Details\n\nYou'll need to find your network interface name, local IP, and the MAC address of your network's gateway (router).\n\n**On Linux:**\n\n1.  **Find Interface and Local IP:** Run `ip a`. Look for your primary network card (e.g., `eth0`, `ens3`). Its IP address is listed under `inet`.\n2.  **Find Gateway MAC:**\n    - First, find your gateway's IP: `ip r | grep default`\n    - Then, find its MAC address with `arp -n \u003Cgateway_ip>` (e.g., `arp -n 192.168.1.1`).\n\n**On macOS:**\n\n1.  **Find Interface and Local IP:** Run `ifconfig`. Look for your primary interface (e.g., `en0`). 
Its IP is listed under `inet`.\n2.  **Find Gateway MAC:**\n    - First, find your gateway's IP: `netstat -rn | grep default`\n    - Then, find its MAC address with `arp -n \u003Cgateway_ip>` (e.g., `arp -n 192.168.1.1`).\n\n**On Windows:**\n\n1. **Find Interface and Local IP:** Run `ipconfig \u002Fall` and note your active network adapter (Ethernet or Wi-Fi):\n   - Its **IP Address**\n   - The **Gateway IP Address**\n2. **Find Interface device GUID:** Windows requires the Npcap device GUID. In PowerShell, run `Get-NetAdapter | Select-Object Name, InterfaceGuid`. Note the **Name** and **InterfaceGuid** of your active network interface, and format the GUID as `\\Device\\NPF_{GUID}`.\n3. **Find Gateway MAC Address:** Run: `arp -a \u003Cgateway_ip>`. Note the MAC address for the gateway.\n\n#### Client Configuration - SOCKS5 Proxy Mode\n\nThe client acts as a SOCKS5 proxy server, accepting connections from applications and dynamically forwarding them through the raw TCP packets to any destination.\n\n#### Example Client Configuration (`config.yaml`)\n\n```yaml\n# Role must be explicitly set\nrole: \"client\"\n\n# Logging configuration\nlog:\n  level: \"info\" # none, debug, info, warn, error, fatal\n\n# SOCKS5 proxy configuration (client mode)\nsocks5:\n  - listen: \"127.0.0.1:1080\" # SOCKS5 proxy listen address\n\n# Port forwarding configuration (can be used alongside SOCKS5)\n# forward:\n#   - listen: \"127.0.0.1:8080\"  # Local port to listen on\n#     target: \"127.0.0.1:80\"    # Target to forward to (via server)\n#     protocol: \"tcp\"           # Protocol (tcp\u002Fudp)\n\n# Network interface settings\nnetwork:\n  interface: \"en0\" # CHANGE ME: Network interface (en0, eth0, wlan0, etc.)\n  # guid: \"\\Device\\NPF_{...}\" # Windows only (Npcap).\n  ipv4:\n    addr: \"192.168.1.100:0\" # CHANGE ME: Local IP (use port 0 for random port)\n    router_mac: \"aa:bb:cc:dd:ee:ff\" # CHANGE ME: Gateway\u002Frouter MAC address\n\n# Server connection settings\nserver:\n  
addr: \"10.0.0.100:9999\" # CHANGE ME: paqet server address and port\n\n# Transport protocol configuration\ntransport:\n  protocol: \"kcp\" # Transport protocol (currently only \"kcp\" supported)\n  kcp:\n    block: \"aes\" # Encryption algorithm\n    key: \"your-secret-key-here\" # CHANGE ME: Secret key (must match server)\n```\n\n#### Example Server Configuration (`config.yaml`)\n\n```yaml\n# Role must be explicitly set\nrole: \"server\"\n\n# Logging configuration\nlog:\n  level: \"info\" # none, debug, info, warn, error, fatal\n\n# Server listen configuration\nlisten:\n  addr: \":9999\" # CHANGE ME: Server listen port (must match network.ipv4.addr port), WARNING: Do not use standard ports (80, 443, etc.) as iptables rules can affect outgoing server connections.\n\n# Network interface settings\nnetwork:\n  interface: \"eth0\" # CHANGE ME: Network interface (eth0, ens3, en0, etc.)\n  ipv4:\n    addr: \"10.0.0.100:9999\" # CHANGE ME: Server IPv4 and port (port must match listen.addr)\n    router_mac: \"aa:bb:cc:dd:ee:ff\" # CHANGE ME: Gateway\u002Frouter MAC address\n\n# Transport protocol configuration\ntransport:\n  protocol: \"kcp\" # Transport protocol (currently only \"kcp\" supported)\n  kcp:\n    block: \"aes\" # Encryption algorithm\n    key: \"your-secret-key-here\" # CHANGE ME: Secret key (must match client)\n```\n\n#### Critical Firewall Configuration\n\nAlthough packets are handled at a low level, the OS kernel can still see incoming packets on the connection port and generate TCP RST packets since it has no knowledge of the connection. 
These kernel generated resets can corrupt connection state in NAT devices and stateful firewalls, causing instability, packet drops, and premature termination.\n\nYou **must** configure `iptables` on the server to prevent the kernel from interfering.\n\n> **⚠️ Important - Avoid Standard Ports**\n>\n> Do not use ports 80, 443, or any other standard ports, because iptables rules can also affect outgoing connections from the server. Choose non-standard ports (e.g., 9999, 8888, or other high-numbered ports) for your server configuration.\n\nRun these commands as root on your server:\n\n```bash\n# Replace \u003CPORT> with your server listen port (e.g., 9999)\n\n# 1. Bypass connection tracking (conntrack) for the connection port. This is essential.\n# This tells the kernel's netfilter to ignore packets on this port for state tracking.\nsudo iptables -t raw -A PREROUTING -p tcp --dport \u003CPORT> -j NOTRACK\nsudo iptables -t raw -A OUTPUT -p tcp --sport \u003CPORT> -j NOTRACK\n\n# 2. Prevent the kernel from sending TCP RST packets that would kill the session.\n# This drops any RST packets the kernel tries to send from the connection port.\nsudo iptables -t mangle -A OUTPUT -p tcp --sport \u003CPORT> --tcp-flags RST RST -j DROP\n\n# An alternative for rule 2 if issues persist:\nsudo iptables -t filter -A INPUT -p tcp --dport \u003CPORT> -j ACCEPT\nsudo iptables -t filter -A OUTPUT -p tcp --sport \u003CPORT> -j ACCEPT\n\n# To make rules persistent across reboots:\n# Debian\u002FUbuntu: sudo iptables-save > \u002Fetc\u002Fiptables\u002Frules.v4\n# RHEL\u002FCentOS: sudo service iptables save\n```\n\nThese rules ensure that only the application handles traffic for the connection port.\n\n### 3. Run `paqet`\n\nMake the downloaded binary executable (`chmod +x .\u002Fpaqet_linux_amd64`). 
You will need root privileges to use raw sockets.\n\n**On the Server:**\n_Place your server configuration file in the same directory as the binary and run:_\n\n```bash\n# Make sure to use the binary name you downloaded for your server's OS\u002FArch.\nsudo .\u002Fpaqet_linux_amd64 run -c config.yaml\n```\n\n**On the Client:**\n_Place your client configuration file in the same directory as the binary and run:_\n\n```bash\n# Make sure to use the binary name you downloaded for your client's OS\u002FArch.\nsudo .\u002Fpaqet_darwin_arm64 run -c config.yaml\n```\n\n### 4. Test the Connection\n\nOnce the client and server are running, test the SOCKS5 proxy:\n\n```bash\n# Test with curl using the SOCKS5 proxy\ncurl -v https:\u002F\u002Fhttpbin.org\u002Fip --proxy socks5h:\u002F\u002F127.0.0.1:1080\n```\n\nThis request will be proxied over raw TCP packets to the server, and then forwarded according to the client mode configuration. The output should show your server's public IP address, confirming the connection is working.\n\n## Command-Line Usage\n\n`paqet` is a multi-command application. The primary command is `run`, which starts the proxy, but several utility commands are included to help with configuration and debugging.\n\nThe general syntax is:\n\n```bash\nsudo .\u002Fpaqet \u003Ccommand> [arguments]\n```\n\n| Command   | Description                                                                      |\n| :-------- | :------------------------------------------------------------------------------- |\n| `run`     | Starts the `paqet` client or server proxy. This is the main operational command. |\n| `secret`  | Generates a new, cryptographically secure secret key.                            |\n| `ping`    | Sends a single test packet to the server to verify connectivity.                 |\n| `dump`    | A diagnostic tool similar to `tcpdump` that captures and decodes packets.        |\n| `version` | Prints the application's version information.                                    |\n\n## Configuration Reference\n\npaqet uses a unified YAML configuration for client and server. The `role` field must be explicitly set to either `\"client\"` or `\"server\"`.\n\n**For complete parameter documentation, see the example files:**\n\n- [`example\u002Fclient.yaml.example`](example\u002Fclient.yaml.example) - Client configuration reference\n- [`example\u002Fserver.yaml.example`](example\u002Fserver.yaml.example) - Server configuration reference\n\n### Encryption Modes\n\nThe `transport.kcp.block` parameter determines the encryption method.\n\n⚠️ **Warning:** `none` and `null` modes disable authentication; anyone with your server IP and port can connect.\n\n- **`none`** - Plaintext with protocol header (protocol-compatible)\n- **`null`** - Raw data, no header (highest performance, least secure)\n\n### TCP Flag Cycling\n\nThe `network.tcp.local_flag` and `network.tcp.remote_flag` arrays cycle through flag combinations to vary traffic patterns. Common patterns: `[\"PA\"]` (standard data), `[\"S\"]` (connection setup), `[\"A\"]` (acknowledgment).\n\n## Architecture & Security Model\n\n### The `pcap` Approach and Firewall Bypass\n\nUnderstanding why standard firewalls are bypassed is key to using this tool securely.\n\nA normal application uses the OS's TCP\u002FIP stack. When a packet arrives, it travels up the stack where `netfilter` (the backend for `ufw`\u002F`firewalld`) inspects it. 
If a firewall rule blocks the port, the packet is dropped and never reaches the application.\n\n```\n      +------------------------+\n      |   Normal Application   |  \u003C-- Data is received here\n      +------------------------+\n                   ^\n      +------------------------+\n      |    OS TCP\u002FIP Stack     |  \u003C-- Firewall (netfilter) runs here\n      |  (Connection Tracking) |\n      +------------------------+\n                   ^\n      +------------------------+\n      |     Network Driver     |\n      +------------------------+\n```\n\n`paqet` uses `pcap` to hook in at a much lower level. It requests a copy of every packet directly from the network driver, before the main OS TCP\u002FIP stack and firewall get to process it.\n\n```\n      +------------------------+\n      |    paqet Application   |  \u003C-- Gets a packet copy immediately\n      +------------------------+\n              ^       \\\n (pcap copy) \u002F         \\  (Original packet continues up)\n            \u002F           v\n      +------------------------+\n      |     OS TCP\u002FIP Stack    |  \u003C-- Firewall drops the original packet,\n      |  (Connection Tracking) |      but paqet already has its copy.\n      +------------------------+\n                  ^\n      +------------------------+\n      |     Network Driver     |\n      +------------------------+\n```\n\nThis means a rule like `ufw deny \u003CPORT>` will have no effect on the proxy's operation, as `paqet` receives and processes the packet before `ufw` can block it.\n\n## Troubleshooting\n\n1.  **Permission Denied:** Ensure you are running with `sudo`.\n2.  
**Connection Times Out:**\n    - **Transport Configuration Mismatch:**\n      - **KCP**: Ensure `transport.kcp.key` is exactly identical on client and server\n    - **`iptables` Rules:** Did you apply the firewall rules on the server?\n    - **Incorrect Network Details:** Double-check all IPs, MAC addresses, and interface names.\n    - **Cloud Provider Firewalls:** Ensure your cloud provider's security group allows TCP traffic on your `listen.addr` port.\n    - **NAT\u002FPort Configuration:** For servers, ensure `listen.addr` and `network.ipv4.addr` ports match. For clients, use port `0` in `network.ipv4.addr` for automatic port assignment to avoid conflicts.\n3.  **Use `ping` and `dump`:** Use `paqet ping -c config.yaml` to test the connection. Use `paqet dump -p \u003CPORT>` on the server to see if packets are arriving.\n\n## Acknowledgments\n\nThis work draws inspiration from the research and implementation in the [gfw_resist_tcp_proxy](https:\u002F\u002Fgithub.com\u002FGFW-knocker\u002Fgfw_resist_tcp_proxy) project by GFW-knocker, which explored the use of raw sockets to circumvent certain forms of network filtering. This project serves as a Go-based exploration of those concepts.\n\n- Uses [pcap](https:\u002F\u002Fgithub.com\u002Fthe-tcpdump-group\u002Flibpcap) for low-level packet capture and injection\n- Uses [gopacket](https:\u002F\u002Fgithub.com\u002Fgopacket\u002Fgopacket) for raw packet crafting and decoding\n- Uses [kcp-go](https:\u002F\u002Fgithub.com\u002Fxtaci\u002Fkcp-go) for reliable transport with encryption\n- Uses [smux](https:\u002F\u002Fgithub.com\u002Fxtaci\u002Fsmux) for connection multiplexing\n\n## License\n\nThis project is licensed under the MIT License. 
See the [LICENSE](LICENSE) file for details.\n","`paqet` is a bidirectional packet-level proxy tool built on raw sockets, used to forward traffic from a local client to a remote server. It bypasses the host operating system's TCP\u002FIP stack and uses the KCP protocol for secure, reliable transport. The project is written in Go, builds on gopacket, kcp, pcap and tcpdump, and can capture and inject encrypted TCP packets, making it suitable for stable communication over networks with high packet loss. `paqet` is suited to scenarios that require bypassing firewalls that detect standard handshake protocols and kernel-level connection tracking, as well as to network security research. Although it is more complex to configure than general-purpose VPN solutions, it offers fine-grained control at the packet level.",2,"2026-06-11 03:50:18","high_star"]